cyber fraud exam:
CRYPTOGRAPHY
There are two basic types of Encryption algorithms:
(i) Symmetric encryption
(ii) Asymmetric Encryption
Symmetric Encryption: In this technique the sender and receiver encrypt and decrypt the message with the same key. Examples are Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, Kuznyechik, RC4, 3DES, Skipjack, etc.
Asymmetric Encryption: In this technique the sender encrypts the message with the receiver’s public key and the receiver decrypts it with the receiver’s own private key. Hence this technique is also called public key encryption. Examples are Diffie-Hellman, RSA, ECC, ElGamal, DSA, etc.
Among the various symmetric ciphers analysed, Rijndael is the best. It is the role model of DES and AES. This model has been adopted by information security agencies such as the NSA, NIST and FIPS.
Among the various asymmetric ciphers, RSA is a moderate and the most useful cipher for encrypting small data such as digital signatures, ATM PINs, etc.
However, RSA (an asymmetric technique) is much slower than Rijndael (a symmetric technique) and other symmetric ciphers, whereas the scalability of an asymmetric cryptosystem is far higher than that of a symmetric one. Thus, where the number of users is huge and the number of required keys is very high, the asymmetric cryptosystem proves superior.
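The following is an added example, not part of the original notes, illustrating the two families side by side: a toy symmetric stream cipher (same key encrypts and decrypts), textbook RSA built from two fixed Mersenne primes (public key encrypts, private key decrypts, private key signs), the hybrid pattern in which slow RSA wraps only a short symmetric key, and the key-count comparison behind the scalability claim. All sizes, the prime choice and the HMAC-based keystream are assumptions for teaching purposes only.

```python
# Added example (not from the original notes): symmetric vs asymmetric encryption.
# Toy stream cipher (HMAC-SHA256 keystream) + textbook RSA on fixed Mersenne primes.
# Educational sizes only; nothing here is deployable cryptography.
import hashlib
import hmac
import secrets
from math import gcd

def keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream from the key: HMAC-SHA256 over a running counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: receiver decrypts with the very same key (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

sym_decrypt = sym_encrypt  # same key, same operation

def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd != 1")
    return old_s % m

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return (public, private) = ((n, e), (n, d)) for the primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, modinv(e, phi))

def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)          # anyone with the public key can encrypt

def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)          # only the private-key holder can decrypt

def rsa_sign(priv, msg: bytes) -> int:
    """Digital signature: the private key is applied to a hash of the message."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def hybrid_encrypt(pub, data: bytes, sym_key: bytes = b""):
    """Slow RSA wraps only a short symmetric key; the fast cipher handles the bulk."""
    sym_key = sym_key or secrets.token_bytes(8)   # 8 bytes so the integer fits under n
    wrapped = rsa_encrypt(pub, int.from_bytes(sym_key, "big"))
    return wrapped, sym_encrypt(sym_key, data)

def hybrid_decrypt(priv, wrapped: int, ciphertext: bytes) -> bytes:
    sym_key = rsa_decrypt(priv, wrapped).to_bytes(8, "big")
    return sym_decrypt(sym_key, ciphertext)

def keys_needed(users: int):
    """Key-count scalability: one shared secret per pair vs one key pair per user."""
    return users * (users - 1) // 2, 2 * users

# Demo primes 2^31-1 and 2^61-1 (Mersenne primes; an assumption, educational size only).
PUB, PRIV = rsa_keygen(2147483647, 2305843009213693951)

if __name__ == "__main__":
    wrapped, ct = hybrid_encrypt(PUB, b"ATM PIN 1234")
    print(hybrid_decrypt(PRIV, wrapped, ct))   # b'ATM PIN 1234'
    print(keys_needed(1000))                   # (499500, 2000)
```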
A few more kinds of attacks
Phishing: Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Phishing has become rampant nowadays, and entities worldwide have lost sensitive data and money to it.
Spoofing: In the context of computer security, a spoofing attack is a situation in which one person or program successfully pretends to be another by falsifying data, thereby gaining an illegitimate advantage. Spoofing is of two types. (1) Email spoofing is the creation of email messages with a forged sender address. Because the core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message. (2) Network spoofing: in computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of hiding the identity of the sender or impersonating another computing system.
Sniffing: Sniffing is the act of intercepting and inspecting data packets using sniffers (software or hardware devices) on the network. Spoofing, by contrast, is the act of identity impersonation. Packet sniffing allows individuals to capture data as it is transmitted over a network; it is used by network professionals to diagnose network issues, and by malicious users to capture unencrypted data such as passwords and usernames.
Spamming: Electronic spamming is the use of electronic messaging systems to send unsolicited messages (spam), especially advertising, as well as sending messages repeatedly on the same site. While the most widely recognised form of spam is email spam, the term is applied to similar abuses in other media too. Spam can also be used to spread computer viruses, Trojans or other malicious software. The objective may be identity theft, or worse (e.g., advance fee fraud). Some spam attempts to capitalise on human greed, while some attempts to take advantage of the victims' inexperience with computer technology to trick them (e.g., phishing).
Ransomware: Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer's Master File Table (MFT) or the entire hard drive. Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key.
Some examples of ransomware are Reveton, CryptoLocker, CryptoWall, Fusob and WannaCry. Wide-ranging attacks involving encryption-based ransomware began to increase through Trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by authorities, and CryptoWall, which the US Federal Bureau of Investigation (FBI) estimated to have accrued over $18m in ransom money for the attackers by June 2015.
In May 2017, the WannaCry ransomware attack spread through the Internet, using an exploit vector that Microsoft had issued a "Critical" patch for (MS17-010) two months before on March 14, 2017. The ransomware attack infected lakhs of users in over 150 countries, using 20 different languages to demand money from users.
Measures against attacks
Against phishing attacks, obviously there cannot be an antivirus tool for checking. Only appropriate user education and awareness can prevent or reduce the phishing menace.
Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection, or by taking measures to verify the identity of the sender or recipient of a message.
To protect against sniffing, we need to encrypt all important data we send or receive, scan our networks for any issues or dangers and use only trusted Wi-Fi networks.
To prevent spamming, most of the email services, viz., Gmail, Yahoo, Hotmail etc. provide filtering facilities and also enable users to categorize certain messages as spam.
The best measures for protection against ransomware are taking regular backups of data, applying OS patches regularly and using the latest anti-malware solution.
Types of Computer Frauds
1. Sending hoax emails to scare people
2. Illegally using someone else’s computer or “posing” as someone else on the internet
3. Using spyware to gather information about people
4. Emails requesting money in return for “small deposits”
5. Pyramid schemes or investment schemes via computer with the intent to take and use someone else’s money
6. Emails attempting to gather personal information used to access and use credit cards or social security numbers
7. Using the computer to solicit minors into sexual alliances
8. Violating copyright laws by copying information with the intent to sell it
9. Hacking into computer systems to gather large amounts of information for illegal purposes
10. Hacking into or illegally using a computer to change information such as grades, work, reports, etc.
11. Sending computer viruses or worms over the internet to destroy or ruin someone else’s computer
Precautions
Refrain from opening e-mail and e-mail attachments from individuals you do not know. Have ALL external storage devices scanned by virus-scanning software before inserting them into your PC. Secure your Internet Web browsing.
Compensation for Failure to Protect Data
A new Section 43A has been inserted to protect sensitive personal data or information possessed, dealt with or handled by a body corporate in a computer resource which such body corporate owns, controls or operates. If such body corporate is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. The explanation to Section 43A defines ‘body corporate’ as any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Further, ‘reasonable security practices and procedures’ means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and, in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. ‘Sensitive personal data or information’ means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Computer related Offences
Section 66 of the IT Act prior to its amendment, dealing with ‘Hacking with Computer System’, has been substituted with a new Section titled ‘Computer related Offences’. As per the new Section, if any person dishonestly or fraudulently does any act causing damage to a computer system, etc., as stated in Section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs.5 lacs, or with both. For the purpose of this Section, the words ‘dishonestly’ and ‘fraudulently’ shall have the meanings assigned to them in Sections 24 and 25 of the Indian Penal Code respectively.
A host of new Sections have been added after Section 66 as Sections 66A to 66F, prescribing punishment for offences such as obscene electronic message transmissions, identity theft, cheating by impersonation using computer resources, violation of privacy and cyber terrorism. The details of such offences are given below.
Section 66A deals with punishment for sending offensive messages through communication services, etc. As per this Section, any person who sends, by means of a computer resource or a communication device,
(i) any information that is grossly offensive or has menacing character; or
(ii) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill-will, persistently by making use of such computer resource or a communication device; or
(iii) any electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.
For the purpose of the above Section, the terms ‘electronic mail’ and ‘electronic mail message’ mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device, including attachments in text, image, audio, video and any other electronic record which may be transmitted with the message.
Section 66B deals with the punishment for dishonestly receiving a stolen computer resource or communication device. As per this Section, whoever dishonestly receives or retains any stolen computer resource or communication device, knowing or having reason to believe the same to be a stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years, or with a fine which may extend to one lac rupees, or with both.
Section 66C deals with the punishment for identity theft. As per this Section, whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to one lac rupees.
Section 66D deals with the punishment for cheating by personation using a computer resource. As per this Section, whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to one lac rupees.
Section 66E deals with the punishment for violation of privacy. As per this Section, whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with a fine not exceeding Rs.2 lacs, or with both.
Section 66F deals with the punishment for cyber terrorism. As per this Section, whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life. The offence of cyber terrorism has been defined as whoever, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, by
(i) denying or causing the denial of access to any person authorised to access a computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant;
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property, or disrupts, or knowing that it is likely to cause damage or disruption of, supplies or services essential to the life of the community, or adversely affects the critical information infrastructure specified under Section 70 dealing with protected systems.